Episode Nine - Meredith Griffanti

FBI Assistant Director Bryan Vorndran: Hello again, everyone. Bryan Vorndran here with the FBI's Cyber Division. And joining me, as always, is Jamil Farshchi, the chief technology officer at Equifax. We're going to do our Top Three before we get into a prerecorded episode. Today's Top Three are LockBit; second, we'll talk about microransoms; and we'll talk about an FBI advisory that just got sent out, where scammers are impersonating the FBI. So Jamil, welcome back, as always.

FBI Strategic Engagement Advisor Jamil Farshchi: Thank you for having me.

Vorndran: All right, well, listen, on LockBit. We know when we look at these ransomware groups—and certainly, LockBit is a very famous one, a well-known one—we know that the time that they stay down is always going to be measured most likely in months. And here we are with LockBit, again, coming back into the focus, in the picture.

And listen, the reality is that this is a way of reality for us here in the United States and across the world in terms of how these individuals in these ransomware groups have safe haven status in and around Russia, and how difficult it is for us to keep the adversary down. You know, you combine that with the field being tilted in the direction of the adversary, with non-responsible…non-responsive virtual asset service providers, being non-responsive to the FBI and other global law enforcement partners, bulletproof hosters, the list goes on. The field is just tilted in the wrong direction. And so LockBit has started to make a comeback.

Jamil, any thoughts?

Farshchi: I mean, outside of the disappointment that they're back, it's a multiheaded-Hydra thing. I think the takeaway for me is that the LockBit brand equity has survived. It's like their affiliates are essentially franchisees who keep the signage and rebuild the store. And they get free marketing from the headlines here.

And I would, to some degree, worry that affiliates can claim this logo to potentially jack up negotiation leverage. So, IR teams shouldn't necessarily immediately trust the name on the ransom note that comes through. So, that'll be some guidance there.

But I think longer term, we need to find a way to have better sort of follow through plans on this kind of stuff to see if there's meaningful ways to be able to freeze the revenue flows. I mean, crypto mixers, like you said, bulletproof or whatever it might be. Otherwise, the brand is just going to reincarnate, like there's a lot of money at stake. And this stuff doesn't go away easily as we…as we’re…as evidenced by this case right here.

Vorndran: Yep, I agree. All right, on to microransoms. Jamil?

Farshchi: The microransoms. This is an interesting story that… so… Malwarebytes has come out and had their…what is it called? 2025 report for fastest growing extortion vector. And so, what's happening and what they're saying is that there's these new agent bots that scrape breach data and they spin up convincing personas, and then they negotiate via chat, and they demand small, quick payments. So, like, no encryption, no nothing, no ransomware needed or anything like that. They'll say, ‘hey we're going to post these photos of you,’ or their information or whatever it might be, and they're small, so the money exchanging hands here it's, you know, the requests are—the extortions are two to 500 bucks and stuff like that.

I think this one is interesting just because it's a different play on a similar story that we've been experiencing in the enterprise world for quite some time now, which is extortions. But these are micro-extortions. And, and because they're fully automated by AI, they can do them at scale and in perpetuity.

And so, I think this is…I don't know that I have any direct guidance on how to solve for this right now, aside from just make sure that you keep your data safe and you're not overly sharing it with third parties and organizations, and stuff like that. But, outside of that, it feels as if, because of the scale and the economics here, we could see a lot more of this going forward. And it could become, to some degree, a primary focus area for the threat actors. Instead of having to go after the big whales and get through the security controls and all of the additional visibility that organizations have because of the investments that they make in security, just target the little guy. And by doing that, even if it's $500 a pop, if you can do that at scale, then you might make more than you ever could have dreamed, potentially, if you're targeting organizations.

Vorndran: Yeah, I don't have much to offer in addition to what you just said, Jamil. I would just say that, you know, like going back to my business school days, right, you have the bigs, right? And then you have the smalls and, that small group of individuals or companies makes up a lot of opportunity space. So even for these types of criminal actors, it continues to amaze me whether we're talking about these microransoms or just initial access on the darknet, how cheap things really are to be cost effective as an adversary.

All right. Last for today, we're going to talk about an FBI advisory. Nothing too alarming here, but we just put out an advisory recently talking about where criminals are essentially impersonating the FBI's Internet Crime Complaint Center through social engineering-type of tactics, right? Whether that's phone calls, whether it's social media, emails, smishing, those types of things on a repeated basis.

And so the reason Jamil and I wanted to highlight this to you is not only for the awareness that there are impersonators out there routinely trying to impersonate the FBI. But this concept that, we're starting to hear probably too much that artificial intelligence is going to be able to defend effectively against most vectors. And I think there's significant concern, on my behalf, and I'll let Jamil speak for himself about how true that is, but this is just a recent example of where there are no artificial intelligence controls that are going to be able to protect against these types of things. So, we want to raise awareness about what's going on. But also, double down on really these basics, right? That at a very human level, myself, Jamil, everyone else, we really need to take the right precautions to understand who we're talking to, who we’re engaged with, because before you know it, we could become a victim.

Farshchi: Yeah, it's…I guess the two key points I would have on this one is one, don't trust those texts that suggest they're from the FBI or the IRS or messages or whatever they might be, because they're typically not, I mean, 99.99%, I'm sure are not, if any are. So that's one, just in terms of good practice.

The other one that you're hitting on, this is a big thing for me. I feel like there's so much dialogue going on within the space today that says the only thing that can fight bad AI is good AI, and while that might be true and even to some degree today, there is some reality to that.

At some point. And I think that some point will arrive here sooner, rather than later, the two areas are going to converge. Good AI has started off and we're using it in many meaningful, unique ways to be able to help and in a ton of areas and security. But bad AI is going to catch up.

And at some point, you're going to reach that area where you know, if you're talking about things like voice cloning, for example. Today you're able to identify bad…you're able to identify voice cloning through AI, by identifying different watermarks and characteristics of the voice channel that are…that make it clear that it's not an actual person communicating.

But those fragments, those watermarks are going to be shortly, like pretty easy to be able to identify and using very simple transforms without any meaningful insider knowledge, you're going to be able to wipe those out. And so, it will be indistinguishable, a clone, whether it's a voice or video, between the real actual thing. And so, we need to not overly rely on AI to save the day across the board here. A lot of benefits, but we can't trust it to be the end all, be all, within that arms race because they will converge at some point. So we've got to look at other solutions around, you know, cryptography or binding identity at captured time and things like this to ensure that we're going to have sort of an identity or a trusted mesh, security approach because that single solution of just AI will not work in the long term. It may today, but it will not for long. And so, keep your guard up. And don't put too much faith in just one singular solution.

Vorndran: All right. Great. Well, that completes our Top Three. Again, the resurgence of LockBit, then microransoms. And then lastly, just a most recent scam, with impersonation of the FBI. Well, Jamil, as always, thanks to our audience. We’ll now go to a previously recorded episode.

___________

Vorndran: Welcome back to Ahead of the Threat. As always, Bryan Vorndran, assistant director of the FBI Cyber Division. And as always, joining me is Jamil Farshchi the chief technology officer at Equifax. Jamil, welcome back. Good to see you. I'll let you introduce our guest for today.

Farshchi: Thank you, Bryan, and welcome everybody. It is my distinct pleasure to welcome Meredith Griffanti to the show today. She is the head of crisis comms for cyber at FTI. And just in full disclosure, I have worked with Meredith. So, when I joined Equifax back right after the breach of 2017, Meredith led comms, and she and I were partners in crime as we worked through that whole initiative, I'll call it. And it's really, really great to have you on board. Meredith, maybe if you could just kick us off with a little bit of, background on yourself, I think it would help the audience contextualize where we're going to go.

Senior Managing Director, Cybersecurity and Data Privacy Communication at FTI, Meredith Griffanti: Yeah. No. Happy to. Well, thank you both for having me. I'm really excited to be here. It's…Jamil, it’s always a pleasure to see you again. So, I joined FTI from Equifax, where, as you said, I was the head of crisis communications during the 2017 breach. Ended up working, for your listeners, with Jamil for a couple of years after the breach, really helping to kind of win back trust and talk about the enhancements Jamil was making to the security program. Taught me everything I know about cyber. So, I always tell people that. And then came over to FTI in 2019 because I figured, you know, a lot of companies are going to go through what Equifax went through.

And I wanted to build a cyber crisis communications team to help companies prepare for incidents, figure out what they were going to be, you know, up against and how to really be thinking about their communications in advance. And then, of course, we parachute in, we help companies going through an active breach, whether that's ransomware, insider threat, APT, nation state, you name it, we've worked on it. And I'm pretty proud of what we've built over here. We've got a global team. I started off as a party of one. I've got about 40 people on the team now where this is all we do, all day, every day. So, I cross paths now with Bryan on our active incidents. So, this is a really fun opportunity for me to bring kind of my past and present lives, work lives together.

Vorndran: Well, Jamil, you want to go first? You want me to start?

Farshchi: Let me start. I'll start. So, Meredith, we went through the Equifax breach together, and I think we both learned a ton as we went through that. But why don't you give the audience maybe some inside baseball? In terms of what you've been seeing lately and maybe pick one of the, one of the events, ransomware or whatever that you've dealt with. That sort of sticks out in your mind as an interesting and useful use case for the audience to learn from.

Griffanti: Yeah. I would say, well, there's two things we're seeing a lot of, I would say in 2025 thus far, a lot of APT Nation State activity in particular, the PRC, you know, targeting American companies. So, we've got a lot of cases going on right now that are sensitive and pretty exciting and a different muscle for us to flex because, you know, they're not as media heavy. We tend to be really preparing the clients for some sort of leak if and when that happens or disclosure. So that's sort of one thing we're seeing.

On the other hand, not as much traditional ransomware in the sense of massive encryption of systems, and, like, true operational disruption; it's more just kind of smash-and-grab-type stuff where companies are being extorted and kind of preparing for an eventual data leak.

So, our biggest case, I would say this year, which with the biggest impact, which was all over the media, was just a straight extortion case. So that's been interesting. It's still just really painful I would say, for the company in terms of, you know, threat actor putting pressure tactics on the company's C-suite, thinking about how to deal with things like, you know, AI-generated images of executives, flowers showing up on CEOs' doorsteps with death threats. You know, just really creative and alarming scare tactics from the bad guys these days. So how do you kind of keep the executives calm? How do you keep the workforce calm if they're privy to some of that? So, yeah, just, you know, more mischief, I would say, in 2025.

Vorndran: So, when you think about preparing a client, or a company prior to a breach, prior to an intrusion, how do you teach them or how do you coach them to think through the problem ahead of time? Things that they should think about having in place? Where do you see repeatable gaps in your client base? Right? Where there isn't the proper preparation?

Griffanti: So, I would say there's a couple of pain points that always seem to take our clients by surprise. The number one thing, well, I'd say there's three top things. One is they always tend to bring us and other vendors in a little bit too late. Like after it's hit the press, after they've 8K’ed something, after they've said something, they're going to have to walk back, which is always problematic. So, we try to train them when we're working kind of left of boom, if you will, to get used to calling us early because, you know, they, in particular the general counsels, the comms people that we're working with, they know their industry stakeholders. They know kind of like what the most common crisis, I would say, is to their type of industry. Like, if you're a pipeline, you're really good at responding to oil releases. If you're an airline, you train every day on how to deal with, you know, fatalities with crashes.

But data breaches are just like, and then cyberattacks are just animals of their own. So, you really want, you know, outside counsel, outside comms people, where this is all we do all day, every day. You've maybe seen it once or twice in your career. We literally see it multiple times a day. Whether that's a specific threat actor group, a specific, you know, tactic they use, things that they can do in advance of, kind of the stuff hitting the fan. We want them to have us in the trenches with them from day one.

Great example, and it's a very public case that we worked on. We actually won an award with the company for the crisis response. We worked with Colonial Pipeline on their ransomware attack. So, I'm allowed to talk about it, which is nice, because that's not typically the case with our clients. But, you know, I think their first call was to their forensic investigator. The incident happened at like 4 a.m. They called their forensic investigator at like five o’clock, right after they had shut down the pipeline. They called us at like 5:15. So that kind of partnership, I think, helps to avoid mistakes in the heat of the moment when you've got to get some—when you're under pressure to get some sort of communication out early. You want that to be accurate.

You don't want it to be anything, you have to walk back. So, I'd say that's kind of like one and two. Bring us in early. Don't say anything dumb that you are going to have to, you know, recant later. In particular, like don't get ahead of the forensic investigation. And then third and this is one we can dive into.

Can you guys tell I have a lot to say about this?

Farshchi: Keep going.

Griffanti: The underestimating of the influx that will come in from all different stakeholders. Regulators, employees, but mainly if you're a B2B company and even if you're a B2C company, you still have B2B partners, vendors, suppliers, distributors, you know, other types of organizations that you partner with that are going to be writing in, that are going to ask for one-to-one calls with the CISO.

They're going to want assurance of containment. They want IOCs. They want an attestation letter. They want a copy of the forensic report. All of that stuff, while you're in the middle of trying to stop the bleeding, getting dumped on privacy counsel or the CISO’s plate, it’s overwhelming. So, you know, in advance of an incident, we try to set up a system for a lot of companies, like some infrastructure around and some process and rigor for how they will intake all of that stuff so that it doesn't go into a black hole and then respond to it, right? In a way that's consistent, not speculatory, approved by legal counsel.

I know you guys have talked to cyber counsel in the past. So, that's a really, really important thing that can be done in advance. Sorry, that was a lot.

Farshchi: No, but it's true. I mean, I remember when we went through the one here, I even at one point got asked like they wanted my resume. You got missiles flying all over the place and there's just so many things.

Vorndran: Who asked you that, Jamil?

Farshchi: No. It was…I’ll tell you offline.

Vorndran: No, but was it counsel? Or was it…I’m not going to ask.

Farshchi: No, it was one of the regulators that wanted it in the midst of the firefight. Anyway, it's just an example of how chaotic it can be and all the random data requests and stuff that you get when you're in the middle of trying to do the right thing.

So, Meredith, take us, you talked to a lot of executives and you're in a lot of boardrooms, as you go through these scenarios. What are some of the insights that you have throughout those discussions in terms of whether it's the preparedness of the board and the executives to deal with these kinds of things? But just as much, what are the kind of questions and sort of key topics that you all discuss when you're going through these situations that might be helpful to the listeners here so that folks can sort of prepare for what may occur when you're in these types of situations?

Griffanti: Sure. I'll kind of take it in two parts because there's certainly a different temperature, if you will, amongst the board and the C-suite when an incident is ongoing versus pre, which obviously makes sense. But I will tell you one of my favorite, I shouldn't say favorite, but every CEO goes through this moment during a ransomware incident in particular where they just have to get it out and they're like, ‘I am going to draft a statement and we are going to say, these are cyber terrorists who have launched an attack on a private company and on American soil, and we're going to call them terrorists.’ And you just kind of have to let them like, get it out, put it down on paper, explain to them why it's not a good idea in particular, because, you know, they didn't have MFA enabled or, you know, just didn't retire that legacy system. You guys get what I'm saying.

Farshchi: They’re missing a basic control. So, it kind of undermines the argument. Yeah.

Griffanti: You know, Jamil, you and I have been talking about this since I met you, right? Like, what, however many years ago that was, seven, eight years ago. Gosh, it's been a while now.

Farshchi: Yeah, I know. It’s crazy.

Griffanti: But, you know, that every CEO has to go through that moment of why the fundamentals, why the basic blocking and tackling wasn't in place and why we shouldn't call the bad guys terrorists and aggravate them further. In particular, when they're trying to reach a settlement or avoid a data leak or whatever it is.

So, the temperature is high. I mean, you know, these executives are—if they're publicly traded, like we talked about, they're dealing with pressure from their biggest customers. They're dealing with regulatory pressure. Some of them are getting called and invited to testify in front of Congress a couple of days after the breach goes public. They've got shareholders and the board to worry about. So, it's always very high pressure. You know, it's a matter of kind of walking them through a lot of what I just went through: Why messages need to be consistent. Why we can't tell the market one thing and your biggest customers another thing. How to keep customers and their temperature, I would say, in check by giving them the right things that they're looking for from the company, like IOCs, like a webinar with the CISO to talk through what they've found thus far–if legal counsel will allow that—you know, and to talk about where they are in the investigation.

So, it's usually kind of bringing them along in the journey with you and explaining to them like the ebbs and flows that any typical incident, well, in particular ransomware will take.

It's like the operational disruption responding to customers and inbounds. It's the lull around the e-discovery process when you're trying to figure out what data was impacted. It's the notifications and then the subsequent media scrutiny when you have to make those state AG notifications that say how many people were impacted by the breach.

Pre-incident, I would say, you know, the temperature's very different, right? It's always a challenge to get folks to pay attention to this. I think you will hear a lot of people say, you know, comms and the reputation management around incident response is one of the hardest parts of incident response. Yet there's never enough budget to put the preparedness plan together to do the tabletop exercise. Everyone wants it on the cheap and wants it to be, you know, a check-the-box type of thing.

I will say, I think that's getting better. In recent months and years, I think that boards are taking cyber much more seriously. Like you said, Jamil, we're in a lot more boardrooms now pre-incident presenting on, kind of, lessons learned, best practices. A lot of them want to know and hear from us. Like, ‘what are you seeing other companies do?’ ‘How are boards thinking about cyber governance?’ ‘What role should the board play?’

They're still not super technically savvy, if you will. Which, you know, is to be expected; all of them have taken like an NACD course and gotten a certification and they think they know what they're talking about. But you know, you know how it goes.

So, I think it's coming along. A lot of, you know, CISOs now are getting on the board’s agenda on a more regular basis. I think we still struggle, still see CISOs struggling to be that, you know, business executive and leader in the boardroom.

We did some research, a couple, last year and the year before. And, you know, CISOs I think just feel this pressure to paint a better picture of the state of the business, I think you would say, in front of the board. And whether that's the executives putting pressure on the CISO or whatever, I don't know. But that's still definitely a challenge. Like we have a big incident going on right now. And, you know, one thing, the board said to me and, and executives said to me just yesterday was, ‘We just had, you know, the CISO in here presenting last week alongside of our external, you know, cyber partners. And they said we were all green. We were good to go. How did this happen?’

Vorndran: We've talked on here, Meredith, about that audit committee piece and trusting those dashboards quite extensively. And I think you hit the nail on the head, right? It's a checkbox versus a thorough assessment, right? And I think that's risky.

Okay, so test your comms knowledge because I don't have a background. There's customers to communicate with, there’s suppliers to communicate with. There's employees to communicate with, there's the public to communicate with, and then there's all other things that can cause pain. Right? You know, regulators, etc. How do you help companies prioritize those? And from your perspective, what is the most important group of people to communicate with early? And post-intrusion, that is. And then just…Jamil knows I'm super passionate about this kind of supply chain, third party risk area.

I would just be interested in—you may not have any examples in your background—do you have any examples where there was an upstream compromise, whether that's through static credentials into a corporate environment from a supplier whether physical or virtual, in terms of software, actual product? How do you communicate back with them when they're the root cause of what happened? So just interested in your thoughts on those.

Griffanti: Great questions. So, first question first, around the prioritization of stakeholder communications. I would say it generally depends on what kind of company and business you are. I mean, we've worked for, you know, local municipalities and small school systems and hospitals with 10 beds. But we've worked for Fortune 10 companies, too, on cyber incidents. Unanimously, I think almost always employees and the front line at a company, whether that's the people answering the phone at the reception desk or the customer service folks or, you know, just your general, you know, HR employees or whatever it is. They need to hear about the incident first, typically before they read about it in the press or in an 8-K filing, or a customer calls them up and sees, you know, something on the dark web.

So, I've always felt—and maybe this is a little bit of my PTSD from Equifax and my time actually being an employee of a company that went through an incident—that your employees truly can be like your best advocates and brand ambassadors and all of those things, and you don't want to leave them in the lurch. And a lot of times we're dealing with companies that have a really large global salesforce or customer support organizations, and you need those folks to be your first line of defense, meaning they're going to get questions from their customers. They're going to be getting, you know, questions from the public or whatever, and you want to get them the right talking points and Q&A and all of those things so that everyone's speaking from the same script and not shooting from the hip and making promises that, you know, aren't going to hold up in the grand scheme of things.

So, to me, that's really, like, the foundational building block of incident response comms, like, how do we get those folks what they need to do their jobs? And then importantly, you know, a bunch of FAQs and talking points on paper only goes so far, which is why I say it's a first line of defense. What’s the…and this is what my team spends a lot of time doing. What's the escalation path for them? If you know top tier customer that makes up 40% of the company's revenue is banging down the salesperson's door and talking points and FAQ aren't cutting it, where do you kind of escalate that to next? In a way, that's not like we open the floodgates for the CISO or the CEO or board member to spend, you know, 12 hours a day on the phone with customers but we're actually figuring out what we need to do in terms of like, white glove service for those who really need it?

Vorndran: Yeah, Aron Ain talked about that in our first episode with the UKG Kronos breach. Talked about this exact thing, how he split off certain customers and he dealt with them personally and I think, in his mind, very appropriately, personally.

Griffanti: Yeah. That makes a ton of sense. So, your second question was, ‘Have I seen a supply chain incident in which an upstream compromise affects downstream customers?’ Right? Or, suppliers, distributors…

Vorndran: Yep. And how did you then communicate back or guide the company to communicate. You may not have an example though.

Griffanti: I do. I do. I have recently seen this in 2025, actually. Smaller incident, but exactly what you described happened. It was actually an upstream MSSP, and the encryption and actual malware spread to their customers’ networks. And the threat actor was able to pull down files from the downstream customers’ networks, as well.

I mean, it's so tough, right? Because nowadays you really can't finger point and be like, well, it's not my problem. It's the, you know, vendor or the MSSP or whatever it is. I think every company is responsible for their third-party vendor, supplier, whatever security audits and programs and onboarding. So, I think from a comms standpoint, there's a way to say like, you know, this wasn't my incident, but also taking ownership of, hey, we're going to work with them to do the right thing by the folks that were affected that we need to get notifications out to and all that stuff.

If it's your data, at the end of the day, you really have to still take ownership for the part of the incident that impacts you.

Vorndran: Got it.

Farshchi: I want to pick up on that, but I wanted to view it from a different lens. So, the company that…the organization that had the incident…we've had several examples over the years. There's one actually quite recently where through some level of nuance or technicality, the organization chose to maybe not be as transparent about the culpability of the incident and the recognition that it occurred as maybe they should have.

What’s the…and I get to some degree like, I understand why hey, there's some nuance here. And so, you know, we don't want to take it on the chin if you're that organization. And so, you want to try to walk away from it to some degree. It causes a tremendous amount of consternation throughout the industry. Folks in my role, for example, as you're trying to figure out, like, what's up, and what's down, and what kind of remediation measures you need to put in place. So, it's painful as heck on the customer side for sure.

But what's your advice for companies that are going through situations like that, that were the victims of an incident but are struggling to figure out what kind of approach to take from a transparency standpoint, about announcing the incident and some of the details therein.

Griffanti: I think it's always a dance, right. Because now in particular with ransomware and operational disruption and with some of the SEC requirements to disclose as quickly as, you know, companies need to make a materiality assessment and disclose. You kind of get bombarded with those exact questions, Jamil, from all of your vendors and partners and customers before you may really have your arms around, what exactly happened. The extent of the compromise.

You also might still be negotiating with the threat actor. You might not have containment, and you might be scared that the threat actor is still in your environment and reading your emails. And the things you're telling your customers, plus, usually there's, as I said before, this period in which it stops being about the incidents, the incident details like the forensic details and more about data impact.

And it just takes a long time. And I feel like there should be more grace in the industry around that topic because folks have all been through this. They know that, you know, threat actors don't reach in and grab a nice, neat spreadsheet that's perfectly organized of, you know, structured data. It's often unstructured. It can be terabytes. It has to go through e-discovery. You have to then figure out if it's business sensitive, if it's PII, what organization it belongs to. Like it just takes time. And I think sometimes there's a reluctance to get out there and say data was exfilled or data was stolen because, you know, the organization knows it's going to be a while before they have concrete answers for their customers.

And I feel like in particular, big organizations should know that and give a little grace when it comes to that versus every day sending in the same friggin’ security questionnaire that says, like, ‘Was there impact to my data?’ ‘Was there impact to my data?’ ‘What new…’ you know. So, I don't understand the companies that are reluctant to be transparent around the IOCs.

They do have, at that particular point in time, threat actor attribution. You know, things that would generally be helpful to industry partners and peers. I really don't get that; they're getting some bad legal counsel is usually what the issue is. I do understand, you know, organizations that are smaller, that service, you know, Fortune 500 companies, but maybe more in the fintech startup space or maybe more in the whatever it is, industrial, tech, startup, health care tech. Like they're not equipped and set up with the types of processes and, you know, outside counsel from a legal standpoint, from a vendor incident response standpoint, sometimes they might just be getting, you know, run-of-the-mill vendors that they've never met from insurance carriers. So, there's a lot at play and a lot that's going on behind the scenes. Is that helpful in terms of answering your question?

Farshchi: Yeah, I was just…first a couple of responses there. One, I completely agree that the data analysis component, we need to give folks grace. I don't think most understand the level of complexity there and how difficult and time consuming it is to actually make sense of this stuff, not to mention just trying to figure out what exactly was exfilled much less putting it all back together and reconstructing it.

So, you have that balancing act between, hey, do we go all in and say everything was compromised and, like, make it a wider blast radius than maybe it in fact was and scare a bunch of people, or do we do that? So, I totally get that aspect.

I guess where I was going with that was more around your level of transparency and just straight-up denial that something occurred until you complete that analysis, versus, we're investigating. ‘We don't know, but we're looking into it,’ which I feel like there's quite a bit of acceptance from the community that, hey, these things take a while, maybe you don't know, but don't say no, nothing happened here, and sort of placate everyone, or attempt to, meanwhile, you know, more is really going on behind the scenes.

Griffanti: Yeah. I think I might know what you're referring to.

Farshchi: Yeah, I think you do.

Griffanti: I have no idea. I mean, again, bad communications counsel.

Farshchi: They needed you, Meredith.

Griffanti: And I know, in particular, I think, without being too direct, there are a number of big incidents that have occurred this year and last year where the company kind of hunkered down and said, we got this. We know what we're doing. We don't need outside comms help. We don't really need to listen to our advisors. We know best. And I think it's an arrogant attitude and I think, you know, I think that lack of transparency really hurts reputation, business relationships, stock price, whatever. It hurts in the long run. So, you know, I don't know what else to say about that, not my counsel.

Vorndran: One of the questions I get all the time is, ‘Are the Salt Typhoon actors out of the telco environment here in the United States?’ And we’re not going to spend too much time here. But, you know, to your point about disciplined communication mattering, Meredith, I believe it was New Year's Eve. I can't remember which company actually published a press statement because the question is, are the Chinese out of it, permanently evicted from the US telecom space?

And those of us in industry, you know, or even in my job, know that guaranteeing that is almost impossible, given the sophistication of the adversary. Also, given the fact that our telcos are built for speed more than security. But I thought the press release was very, very specific, and the wording said, “at this time we do not see any activity.” Right? What they did not say is that it's guaranteed that they're out. But to your point about precision in messaging mattering.

Just one other note, because we got to wrap up here soon and then maybe Jamil, I'll go to you.

Griffanti: My gosh, I could talk to you guys all day.

Vorndran: I know. You know, I think the FBI has been asked for comms help from victims over the past four or five years post-intrusion, and we're always—I'll just message to the audience—we're always happy to take those requests in and see what we can do. Certainly, and one example, and I know the company and the CEO wouldn't mind me sharing here because we've talked publicly before, but as with Kaseya in July of 2021. Right?

They were being overwhelmed with press inquiries, to the point that they could not focus on their core business, their employees and remediation. And there's public messaging from the FBI that all press requests about Kaseya were to be directed to the FBI. And so, we kind of served as a front door to buffer them. We can't do that in every case. But we've also shared remediation guidance on behalf of victims publicly. So just a PSA for the audience here about one other way the FBI can try to help.

But, Jamil, maybe I go to you for one more question.

Farshchi: Well, it's also a PSA for Meredith, because now you just…I just found out you just got a new competitor, for your business.

Griffanti: I was actually going to compliment Bryan because, you know, your team has been incredibly helpful to mine on a couple of cases, similar to the one you just outlined. From a press and comms standpoint. So, thank you for that very much.

Vorndran: No, of course. Of course.

Farshchi: So let me ask one last question if we're running out of time here. And let's shift over to the CISOs, and you touched on this a little bit before, but, when you talk to CISOs and you engage with them during these events, or not actually, or even on a day-to-day basis, what are the areas of communication that you think CISOs need to improve on most?

Griffanti: How much time do we have? Just kidding. I think it's mostly taking the metrics and KPIs that they're all showing and simplifying them. And really figuring out how to make those, how to make things resonate with a non-technical audience. So, it's really like, I feel like we see one of two things. We see 20-page board decks and the CISO is frustrated because it's like, ‘I only got through my first three slides and all the good stuff was in the end.’ Or we see really simplistic, like, this is how many phishing attacks we stopped. This is our mean time to the attack. This is our mean time to respond.

So, it's like, how do you come up with metrics that are meaningful, repeatable, and are showing progress against whatever the long-term roadmap is, the priorities that the CISO has for their security program? So that's what I think they really struggle with the most, is metrics, some sort of format, and a repeatable presentation that they can show that lands with the board. And then lastly, I had a last thing, but now it's escaping me. Yeah. I think that's a good place to kind of wrap it.

Vorndran: All right. Jamil, anything else?

Farshchi: No, this is fantastic. Meredith, thank you so much for your time. Genuinely appreciate it. And I think, as a final PSA for everybody, and I speak from experience here, having expert guidance as it relates to communications when you go through situations like this is absolutely imperative. I'm one of these folks who, prior to working with Meredith and learning how valuable it was, pooh-poohed it. I always thought, ‘Oh, you know, I can do it.’ I was one of those people, Meredith, who was like, ‘I could do it myself. We don't need this.’ And it wasn't until the situation that we had, when I went through this soup-to-nuts with you, that I really grew to appreciate it to a massive degree. And so, I highly recommend it.

And for any of you all who do not have that kind of engagement and have that support system from a third-party standpoint, I advise you heavily to try to do it as quickly as you can, so you can be as prepared as possible in the event that something bad does happen.

Vorndran: Meredith, I just want to say thanks for joining us today and for your partnership. And look forward to working with you, out of professionalism, but also not at the behest of victims in those moments. Right? It's important to all of us. But thank you for your time today.

Griffanti: No, thank you guys so much. This was a ton of fun. And I really appreciate it. It was great to be here.

_________

Vorndran: Well, Jamil it was really, really, interesting for me to listen to the thoughts that Meredith had during that episode, and I always value the episodes that we do most when there are very specific things that I can take away. So maybe I'll hit one or two of those. I'm sure you have one or two.

She was very specific in her guidance about early, early engagement with a comms specialist post-intrusion, but also a note towards having those relationships and those corporate relationships in place.

She also talked about being very specific in choice of language so that you're A: proactive, but also B: so you don't have to recant things that were inaccurate, you know, noting that some of these things take a little bit of time to truly evolve.

And then I think the third thing that she mentioned that I…is just true from my experience, is the volume of requests going into a victim's environment post-intrusion is very, very high, whether that's from customers, suppliers, employees, regulators, you know, any other number of people domestically or globally. And just accounting for that in your preparatory steps. Those are just some of the really key takeaways I had.

Farshchi: No, those are good ones. I agree with you. Look, I'm biased. I used to work with her. She's fantastic. But look, I think in security, we cite reputation constantly as a major reason for what we do, to be able to help protect the organizations that we serve. Security is one part of that. It’s a big part of that.

But when these incidents occur, communications is an equally significant portion of your ability to be able to navigate those difficult situations. And so, I just highly recommend taking her advice and lining up, whether it's early and often or whatever, this communications expertise. So that's my…that’s the first takeaway.

The second one is around preparation. And she talked about this a fair amount early on in the conversation about the number of times she goes into organizations and talks to CEOs or goes through the boards and does these crisis exercises and how they used to not occur very often. But she's starting to see a trend where organizations are taking this more seriously.

You’re going to…at game time you’re going to play how you had practiced before. It's just a fact of life. And so, lean in, even though there's a million other priorities at any given point in time before something like this happens, and it's easy to get distracted or push it down the priority list.

Take the time. Take the time. Get the right people in the room, go through these exercises and prepare. Because I can assure you that when you go through situations like this, there will be curveballs all over the place. There will be data requests like you were just referencing that come out of the woodwork that you're not prepared for. There'll be differences of opinion in how to respond, and what kind of approach you want to take to these things. Ironing that out, at least getting a substantive direction, and alignment on that amongst the key stakeholders is absolutely essential.

And organizations like hers, or even if you just do it internally, those kinds of things are highly critical in any kind of event that you're going to have to go through. So, I thought it was a great discussion, was great to see her again. And hopefully it provided some meaningful insight for the audience.

Vorndran: Thanks, Jamil. Well, for our audience. We'll see you soon. Thank you.

Farshchi: Thank you guys.